WatersWorks by John K. Waters

Oracle Promises To 'Fix' Java

An Oracle executive has promised to "fix" problems with Java that have left Web sites running the Java plugin vulnerable to malicious hackers and resulted in some high-profile security breaches. Speaking with Java User Group (JUG) leaders during a conference call last week, Oracle's senior product security manager, Milton Smith, said that his company cares about Java security, and has been working on the problem and will continue to do so.

"The plan for Java security is really simple," Smith said. "It's to get Java fixed up -- number one -- and then, number two, to communicate our efforts widely. We really can't have one without the other. No amount of talking or smoothing over is going to make anybody happy or do anything for us. We have got to fix Java..."

Oracle has been working to improve Java security, Smith said, though much of that work has not been publicized. He pointed to new security features, such as a slider on the Java control panel that allows users to effectively disable Java on the browser.

And it is the browser -- or rather, browser plugins, which run applets -- that is the focus of Oracle's security efforts, Smith said.

"The area of concern is the plugin -- so that's applets," he said. "A lot of the attacks that we've seen, and the security fixes that apply to them, have been [about] Java in the browser. It's the biggest target now. We haven't had those sorts of problems or challenges on the servers or embedded devices."

One caller complained that the media are "very loose when they talk about Java security...when most of the trouble has been in a very specific use case for Java [the browser]."

Smith emphasized the need for better communication about Oracle's efforts to secure Java. He argued that many people "don't understand the features that are out there," and the role the end users play in securing their own computers. He said the company plans to reach out to engineers, IT professionals who run data centers and user groups, such as the one addressed in the call.

Donald Smith, Oracle's director of product management in the OpenJDK group, talked about the possibility of using this year's JavaOne conference to communicate more fully with the community about Oracle's security plans and the community's needs. He asked those in attendance for feedback about the idea of a stand-alone Java security track at the conference.

Milton Smith added that Oracle company doesn't know yet precisely what it wants to communicate, but that calls like this one with the JUG leaders was "laying the ground work" for improved communications in the future.

Oracle has been criticized for its handling of Java security, and questions have arisen about the future of client-side Java. Forrester Research analyst told ADTmag in an earlier interview that the steady surfacing of Java security vulnerabilities could kill any chance that Java will play a bigger role on the desktop or mobile devices in the future. IDC analyst Al Hilwa pointed out that any add-on to a browser is going to increase the surface area for security attacks. But he also pointed out that Oracle complicates things by bundling the Java browser extension with the Java runtime environment (JRE).

"Browsers are powerful gateways, and when they're used as platforms for extensions from other vendors (e.g. Java from Oracle or Flash from Adobe) the picture of management and accountability for security becomes complicated," he said. "This is why the industry is shifting to HTML 5 for browser applications, so that the browser vendors own the security of the platform end-to-end."